ABSTRACT

A workflow is a collection of steps that must be executed in some specific order to achieve an objective. A computerised workflow management system may enforce authorisation policies and constraints, thereby restricting which users can perform particular steps in a workflow. The existence of policies and constraints may mean that a workflow is unsatisfiable, in the sense that it is impossible to find an authorised user for each step in the workflow and satisfy all constraints. In this paper, we consider the problem of finding the "least bad" assignment of users to workflow steps by assigning a weight to each policy and constraint violation. To this end, we introduce a framework for associating costs with the violation of workflow policies and constraints and define the valued workflow satisfiability problem (Valued WSP), whose solution is an assignment of steps to users of minimum cost. We establish the computational complexity of Valued WSP with user-independent constraints and show that it is fixed-parameter tractable. We then describe an algorithm for solving Valued WSP with user-independent constraints and evaluate its performance, comparing it to that of an off-the-shelf mixed integer programming package.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection—Access controls; F.2.2 [Analysis of Algorithms and Problem Complexity]: Nonnumerical Algorithms and Problems; H.2.0 [Database Management]: General—Security, integrity and protection

General Terms

Algorithms, Security, Theory

Keywords

workflow satisfiability, parameterized complexity, valued workflow satisfiability problem


1. INTRODUCTION

It is increasingly common for organisations to computerise their business and management processes. The coordination of the tasks or steps that comprise a computerised business process is managed by a workflow management system (or business process management system). A workflow is defined by the steps in a business process and the order in which those steps should be performed. A workflow is executed multiple times, each execution being called a workflow instance. Typically, the execution of each step in a workflow instance will be triggered by a human user, or a software agent acting under the control of a human user. As in all multi-user systems, some form of access control, typically specified in the form of policies and constraints, should be enforced on the execution of workflow steps, thereby restricting the execution of each step to some authorised subset of the user population.

Policies typically specify the workflow steps for which users are authorised, what Basin et al. call history-independent authorisations [2]. Constraints restrict which groups of users can perform sets of steps. It may be that a user, while authorised by the policy to perform a particular step s, is prevented (by one or more constraints) from executing s in a specific workflow instance because particular users have performed other steps in the workflow (hence the alternative name of history-dependent authorizations [2]). The concept of a Chinese wall, for example, limits the set of steps that any one user can perform [3], as does separation-of-duty, which is a central part of the role-based access control model [1]. We note that policies are, in some sense, discretionary, as they are defined by the workflow administrator in the context of a given set of users. However, constraints may be mandatory (and independent of the user population), in that they may encode statutory requirements governing privacy or separation-of-concerns or high-level organisational requirements.

It is well known that a workflow specification may be "unsatisfiable" in the sense that the combination of policies and constraints means that there is no way of allocating authorised users to workflow steps without violating at least one constraint. The workflow satisfiability problem is NP-hard [23] although relatively efficient algorithms have been developed on the assumption that the number of workflow steps is much smaller than the number of users that may perform steps in the workflow [7, 11, 17, 23]. Of course, the objectives of the business process associated with a workflow specification can never be achieved if the specification is unsatisfiable. Hence, it is interesting to consider an extended version of the workflow satisfiability problem that seeks the "best" allocation of users to steps in the event that the specification is unsatisfiable.

Accordingly, in this paper we study the valued workflow satisfiability problem (Valued WSP). Informally, we associate constraint and authorisation violations with a cost, which may be regarded as an estimate of the risk associated with allowing those violations. We then compute an assignment of users to steps having minimal cost, this cost being zero when the workflow is satisfiable. In a sense, our work is related to recent work on risk-aware access control [4, 5, 12, 19], which seeks to compute the risk of allowing a user to perform an action, rather than simply computing an allow/deny decision, and ensure that cumulative risk remains within certain limits. However, unlike related work, we focus on computing user-step assignments of minimal cost, rather than access control decisions.

Our main contributions are: to define Valued WSP and determine its complexity; to prove that Valued WSP is fixed-parameter tractable for weighted user-independent constraints; to develop an algorithm to solve Valued WSP with user-independent constraints; to provide a comprehensive experimental evaluation of our algorithm; and to demonstrate that the performance of our algorithm compares very favourably with an approach that uses the mixed integer programming solver CPLEX. Our experimental evaluation shows our algorithm enjoys a substantial advantage over CPLEX as the number of steps grows, with our algorithm being able to deal far better with problem instances containing more than 30 steps. Moreover, our algorithm is far better at solving instances that are unsatisfiable - precisely those instances for which Valued WSP is relevant.

In the next section, we define Valued WSP, having reviewed relevant concepts from the literature, including the workflow satisfiability problem and user-independent constraints. In Section 3 we prove that Valued WSP is fixed-parameter tractable for user-independent constraints and describe an algorithm based on the concept of a pattern, which is, informally, a compact representation of a set of similar plans for a user-independent constraint. In Section 4 we present our experimental results. This section also includes a method of representing Valued WSP as a mixed integer programming problem, which may be of use in subsequent research. We conclude the paper with a discussion of related work, a summary of contributions and some suggestions for future work.

2. BACKGROUND AND PROBLEM STATEMENT

We first briefly summarise relevant concepts from the literature, including workflow authorisation schema, workflow constraints and the workflow satisfiability problem (WSP). We then explain how a constrained workflow authorisation schema can be extended to assign costs to plans that do not satisfy the schema's policy and constraints. We conclude this section with a formal definition of Valued WSP.


2.1 WSP

A directed acyclic graph G = (V, E) is defined by a set of nodes V and a set of edges E ⊆ V × V. The reflexive, transitive closure of a directed acyclic graph (DAG) defines a partial order, where u ≤ w if and only if there is a path from u to w in G. We may write v ≥ w whenever w ≤ v. We may also write v < w whenever v ≤ w and v ≠ w.

Definition 1. A workflow specification is defined by a directed, acyclic graph G = (S, E), where S is a set of steps and E ⊆ S × S. Given a workflow specification (S, E) and a set of users U, an authorisation policy for a workflow specification is a relation A ⊆ S × U. A workflow authorisation schema is a tuple (G, U, A), where G = (S, E) is a workflow specification and A is an authorisation policy.

A workflow specification describes a sequence of steps and the order in which they must be performed when the workflow is executed, each such execution being called a workflow instance.¹ User u is authorised to perform step s only if (s, u) ∈ A.² We assume that for every step s ∈ S there exists some user u ∈ U such that (s, u) ∈ A (otherwise the workflow is trivially unsatisfiable).

Definition 2. Let ((S, E), U, A) be a workflow authorisation schema. A plan is a function π : T → U, where T ⊆ S. A plan π is complete if T = S.

Definition 3. A workflow constraint has the form (T, Θ), where T ⊆ S and Θ is a family of functions with domain T and range U. T is the scope of the constraint (T, Θ). A constrained workflow authorization schema is a pair ((S, E), U, A, C), where ((S, E), U, A) is a workflow authorization schema and C is a set of workflow constraints.

Informally, a workflow constraint (T, Θ) limits the users that are allowed to perform a set of steps T in any given instance of the workflow. In particular, Θ identifies authorised (partial) assignments of users to workflow steps in T. More formally, let π : S' → U, where S' ⊆ S, be a plan. Given T ⊆ S', we write π|_T to denote the function π restricted to domain T; that is π|_T(s) = π(s) for all s ∈ T (and is undefined otherwise). Then we say π : S' → U satisfies a workflow constraint (T, Θ) if T ⊈ S' or π|_T ∈ Θ.

¹In this paper, the ordering on the steps is not considered. Prior work has shown that the ordering is irrelevant to the question of satisfiability subject to certain assumptions about the constraints [10], assumptions that are satisfied by the constraints considered in this paper.

²In practice, the set of authorised step-user pairs, A, will not be defined explicitly. Instead, A will be inferred from other access control data structures. In particular, R²BAC - the role-and-relation-based access control model of Wang and Li [23] - introduces a set of roles R, a user-role relation UR ⊆ U × R and a role-step relation SA ⊆ R × S from which it is possible to derive the steps for which users are authorised. For all common access control policies (including R²BAC), it is straightforward to derive A. We prefer to use A in order to simplify the exposition.

Definition 4. Given a constrained workflow authorization schema ((S, E), U, A, C), we say a plan π : S → U is valid if it satisfies every constraint in C and, for all t ∈ S, (t, π(t)) ∈ A.

In practice, we do not define constraints by enumerating all possible elements of Θ. Instead, we define different families of constraints that have "compact" descriptions. Thus, for example, we might define the family of simple separation-of-duty constraints, each of which is represented by a set {t₁, t₂}, the constraint being satisfied provided t₁ and t₂ are assigned to different users.

A constraint (T, Θ) is said to be user-independent if, for every θ ∈ Θ and every permutation φ : U → U, φ ∘ θ ∈ Θ, where φ ∘ θ : T → U is defined by

(φ ∘ θ)(s) = φ(θ(s)).

Simple separation-of-duty constraints are user-independent, and it appears most constraints that are useful in practice are user-independent [7]. In particular, cardinality constraints and binding-of-duty constraints are user-independent. In this paper, we restrict our experimental evaluation to two particular types of user-independent constraints (in addition to separation-of-duty constraints):

• an at-least-r counting constraint has the form (T, r), where r ≤ |T|, and is satisfied provided at least r users are assigned to the steps in T;

• an at-most-r counting constraint has the form (T, r), where r ≤ |T|, and is satisfied provided at most r users are assigned to the steps in T.

It is important to stress that our approach works for any user-independent constraints. We chose to use counting constraints because such constraints have been widely considered in the literature (often known as cardinality constraints). Moreover, counting constraints can be encoded using mixed integer programming, so we can use off-the-shelf solvers to solve WSP and to compare with the performance of our bespoke algorithms.

We now introduce the workflow satisfiability problem, as defined by Wang and Li [23].

Workflow Satisfiability Problem (WSP)

Input: A constrained workflow authorisation schema ((S, E), U, A, C)

Output: A valid plan π : S → U or an answer that there exists no valid plan
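The definitions of this section, as an added example (our code, not the paper's): a constructed four-step, three-user schema with the three constraint types just introduced, a validity check in the sense of Definition 4, the naive search over all complete plans that the WSP box asks for, and a permutation test for user-independence. The constraint encoding (kind, scope, r), the names of the users and the "only" constraint used as a user-dependent counter-example are our own assumptions; the edge set E is omitted because, as footnote 1 notes, the ordering of steps does not affect satisfiability.

```python
# Added example (not from the paper): a constructed constrained workflow
# authorisation schema ((S, E), U, A, C), the validity check of
# Definition 4, the naive n^k search for WSP, and a permutation test for
# user-independence.
from itertools import permutations, product

STEPS = ["s1", "s2", "s3", "s4"]
USERS = ["alice", "bob", "carol"]
# Authorisation policy A as a set of (step, user) pairs (constructed).
AUTH = {("s1", "alice"), ("s1", "bob"), ("s2", "bob"), ("s2", "carol"),
        ("s3", "alice"), ("s3", "carol"), ("s4", "alice")}

# Our encoding of a constraint (T, Theta): (kind, scope T, parameter r).
# Theta is given implicitly by the kind rather than enumerated.
CONSTRAINTS = [("sod", {"s1", "s2"}, 0),            # s1, s2 by different users
               ("at-most", {"s1", "s2", "s3"}, 2),
               ("at-least", {"s3", "s4"}, 2)]

def satisfies(plan, constraint):
    """A plan pi: S' -> U satisfies (T, Theta) if T is not a subset of S'
    (constraint not yet applicable) or pi restricted to T lies in Theta."""
    kind, scope, r = constraint
    if not scope <= set(plan):
        return True
    users = {plan[s] for s in scope}
    if kind == "sod":
        return len(users) == len(scope)
    if kind == "at-most":
        return len(users) <= r
    if kind == "at-least":
        return len(users) >= r
    if kind == "only":        # user-dependent: every step of T done by user r
        return users == {r}
    raise ValueError(kind)

def is_valid(plan, auth=AUTH, constraints=CONSTRAINTS, steps=STEPS):
    """Definition 4: complete, every step authorised, every constraint met."""
    return (set(plan) == set(steps)
            and all((t, u) in auth for t, u in plan.items())
            and all(satisfies(plan, c) for c in constraints))

def solve_wsp(steps=STEPS, users=USERS, auth=AUTH, constraints=CONSTRAINTS):
    """Naive WSP: enumerate all n^k complete plans; return a valid one or None."""
    for choice in product(users, repeat=len(steps)):
        plan = dict(zip(steps, choice))
        if is_valid(plan, auth, constraints, steps):
            return plan
    return None

def is_user_independent(constraint, plan, users=USERS):
    """Test the definition on one plan: composing with any permutation phi
    of U must leave satisfaction unchanged; one failing phi refutes it."""
    base = satisfies(plan, constraint)
    for perm in permutations(users):
        phi = dict(zip(users, perm))
        if satisfies({s: phi[u] for s, u in plan.items()}, constraint) != base:
            return False
    return True
```

The permutation test is only a check on a single plan, not a proof over the whole family Θ, but for the counting and separation-of-duty kinds it can never fail, since their satisfaction depends only on how many distinct users the scope receives; the "only" kind fails as soon as the named user is renamed.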


2.2 Fixed-Parameter Tractability of WSP

A naive approach to solving WSP would consider every possible assignment of users to steps in the workflow. There are nᵏ such assignments if there are n users and k steps, so an algorithm of this form would have complexity O(m nᵏ), where m is the number of constraints. Moreover, Wang and Li showed that WSP is NP-hard, by reducing Graph k-Colorability to WSP with separation-of-duty constraints [23, Lemma 3].

The importance of finding an efficient algorithm for solving WSP led Wang and Li to look at the problem from the perspective of parameterised complexity. Suppose we have an algorithm that solves an NP-hard problem in time O(f(k) n^d), where n denotes the size of the input to the problem, k is some (small) parameter of the problem, f is some function in k only, and d is some constant (independent of k and n). Then we say the algorithm is a fixed-parameter tractable (FPT) algorithm. If a problem can be solved using an FPT algorithm then we say that it is an FPT problem and that it belongs to the class FPT [11, 20].

Wang and Li observed that fixed-parameter algorithmics is an appropriate way to study the problem, because the number k of steps is usually small and often much smaller than the number n of users.³ Wang and Li [23] proved that, in general, WSP is W[1]-hard and thus is highly unlikely to admit an FPT algorithm. However, WSP is FPT if we consider only separation-of-duty and binding-of-duty constraints [23]. Henceforth, we consider special families of constraints, but allow arbitrary authorisations. Crampton et al. [10] obtained significantly faster FPT algorithms that were applicable to "regular" constraints, thereby including the cases shown to be FPT by Wang and Li. Subsequent research has demonstrated the existence of FPT algorithms for WSP in the presence of other constraint types [9, 10]. Cohen et al. [7] introduced the class of user-independent constraints and showed that WSP remains FPT if only user-independent constraints are included. Note that every regular constraint is user-independent and all the constraints defined in the ANSI RBAC standard [1] are user-independent. Results of Cohen et al. [7] have led to algorithms which significantly outperform the widely used SAT-solver SAT4J on difficult instances of WSP with user-independent constraints [6, 17].

2.3 Valued WSP

There has been considerable interest in recent years in making the specification and enforcement of access control policies more flexible. Naturally, it is essential to continue to enforce effective access control policies. Equally, it is recognised that there may well be situations where a simple "allow" or "deny" decision for an access request may not be appropriate. It may be, for example, that the risks of refusing an unauthorised request are less significant than the benefits of allowing it. One obvious example occurs in healthcare systems, where the denial of an access request in an emergency situation could lead to loss of life. Hence, there has been increasing interest in context-aware policies, such as "break-the-glass", which allow different responses to requests in different situations. Risk-aware access control is another promising line of research that seeks to quantify the risk of allowing a request, where a decision of "0" might represent an unequivocal "deny" and "1" an unequivocal "allow", with decisions of intermediate values representing different levels of risk.


³The SMV loan origination workflow studied by Schaad et al., for example, has 13 steps and identifies five roles [21]. It is generally assumed that the number of users is significantly greater than the number of roles.
Similar considerations arise very naturally when we consider workflows. In particular, we may specify authorization policies and constraints that mean a workflow specification is unsatisfiable. Clearly, this is undesirable from a business perspective, since the business objective associated with the workflow cannot be achieved. There are two possible ways of dealing with an unsatisfiable workflow specification: (i) modify the authorization policy and/or constraints; (ii) find the "least bad" complete plan. Prior work by Basin, Burri and Karjoth considered the former approach [2]. They restricted their attention to modification of the authorisation policy, what they called administrable authorizations. They assigned costs to modifying different aspects of a policy and then computed a strategy to modify the policy of minimal cost.

We adopt a different approach and consider minimising the cost of "breaking" the policies and/or constraints. (We will compare our approach to Basin et al. in the related work section.) Informally, given a workflow specification, for each plan π, we define the total cost or weight associated with the plan w(π). The problem, then, is to find the complete plan with minimum total cost.


More formally, let ((S, E), U, A, C) be a constrained workflow authorization schema. Let Π denote the set of all possible plans from S to U. Then, for each c ∈ C, we define a weight function w_c : Π → Z, where

w_c(π) = 0 if π satisfies c,
w_c(π) > 0 otherwise.

The pair (c, w_c) is a weighted constraint.

The intuition is that w_c(π) represents the extent to which π violates c. Consider, for example, an at-most-r counting constraint (T, r). Then w_c(π) depends only on the number of users assigned to the steps in T (and the penalty should increase as the number of users increases). Let π(T) denote the set of users assigned to steps in T. Then w_c(π) = 0 if |π(T)| ≤ r; for plans π and π', we have w_c(π) = w_c(π') if |π(T)| = |π'(T)|; and 0 < w_c(π) < w_c(π') if r < |π(T)| < |π'(T)|. Similarly, for an at-least-r constraint c with scope T, we would have w_c(π) = 0 if |π(T)| ≥ r; for plans π and π', we have w_c(π) = w_c(π') if |π(T)| = |π'(T)|; and 0 < w_c(π) < w_c(π') if r > |π(T)| > |π'(T)| > 0.

Then we define

w_C(π) = Σ_{c ∈ C} w_c(π),

which we call the constraint weight of π. Note that w_C(π) = 0 if and only if π satisfies all constraints in C. Note also that w_C(π) need not be defined to be the linear sum: w_C(π) may be defined to be an arbitrary function of the tuple (w_c(π) : c ∈ C) and Theorem 1 below would still hold. However, we will not use this generalisation in this paper, but simply remark that it is possible, if needed.

We next introduce a function w_A : Π → Z, which assigns a cost for each plan with respect to the authorisation policy. The intuition is that a plan in which every user is authorised for the steps to which she is assigned has zero cost and the cost of a plan that violates the policy increases as the number of steps that are assigned to unauthorised users increases. More formally,

w_A(π) = 0 if (t, π(t)) ∈ A for all t,
w_A(π) > 0 otherwise

is the authorisation weight of π.

The definition of w_A can be arbitrarily fine-grained. We could, for example, associate a weight ω(t, u) with every pair (t, u), where a zero weight indicates that u is authorised for t, and define

w_A(π) = Σ_{t ∈ S} ω(t, π(t)).

One particularly simple instantiation of this idea is to define a single weight ω > 0 to be associated with every policy violation. In this case, w_A(π) = aω, where a is the number of steps that are assigned to unauthorised users. Alternatively, we might distinguish between different types of users, so that, for example, assigning steps to external contractors is associated with a higher weight ω_e than the weight ω_i associated with assigning steps to (internal) unauthorised staff members.


We may now define the valued workflow satisfiability problem, which will be the subject of the remainder of the paper.

Valued WSP

Input: A constrained workflow authorisation schema ((S, E), U, A, C) with weights for constraints and authorisations, as above.

Output: A plan π : S → U that minimises w(π) = w_C(π) + w_A(π).


Before proceeding further, however, we introduce a weight function that is more fine-grained than those considered above, and the one that we shall use in the remainder of this paper. Specifically, for each user u and each subset T of S, we define a weight ω(T, u) ∈ Z, where

ω(T, u) = 0 if (t, u) ∈ A for all t ∈ T,
ω(T, u) > 0 otherwise.

We call ω : 2^S × U → Z the (weighted) set-authorisation function. Vacuously, we have ω(∅, u) = 0 for all u ∈ U. We write π⁻¹(u) to denote the set of steps to which u is assigned by plan π. Then we define

w_A(π) = Σ_{u ∈ U} ω(π⁻¹(u), u).

Clearly, this form of authorisation weight satisfies the required criteria.

We base w_A on weights of the form ω(T, u) because, in addition to allowing us to specify weights for every pair (t, u) if required, it allows us to express more complex ("non-linear") costs on plans. For example:

1. We can introduce a large penalty ω(T, u), effectively saying we prefer not to involve u in steps in T. (We use weights like this in our experimental work, described in Section 4.)

2. We can define a limit ℓ on the number of steps that can be executed by u, by setting a large penalty ω(T, u) for all T of cardinality greater than ℓ.

3. We can attempt to minimise the number of involved users by giving a small penalty for assigning a user to at least one step. This is similar to item 1 above, albeit with a different goal.

4. The weights associated with the same user executing different steps may not increase linearly. Once a user has performed one particular unauthorized step, the additional cost of executing a related unauthorized step may be reduced, while the additional cost of executing an unrelated unauthorized step may be the same as the original cost. Our formulation enables us to model this kind of situation.

5. We can implement separation-of-duty on a per-user basis, which is not possible with user-independent constraints. In particular, it may be acceptable for u₁ to perform steps s₁ and s₂, but not u₂, in which case ω({s₁, s₂}, u₁) would be small, while ω({s₁, s₂}, u₂) would be large.

The next claim is an important observation following directly from the definitions above.

Proposition 1. The optimal weight of an instance of Valued WSP equals zero if and only if the corresponding WSP instance is satisfiable.
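The weights just defined, as an added example (our code, not the paper's): a constructed three-step, two-user instance whose hard version is unsatisfiable, one weighted at-least and one weighted at-most counting constraint of the shape described above, a set-authorisation function ω(T, u) that also encodes a per-user step limit (item 2 of the list above), and the brute-force minimisation of w(π) = w_C(π) + w_A(π) over all complete plans. The instance data, the unit penalties and the function names are our assumptions. The optimum is positive, as Proposition 1 predicts for an unsatisfiable instance, and drops to zero once the missing authorisation is added.

```python
# Added example (not from the paper): weighted constraints, a set-
# authorisation weight omega(T, u) and the brute-force optimum of Valued
# WSP on a constructed three-step instance.
from itertools import product

STEPS = ["s1", "s2", "s3"]
USERS = ["alice", "bob"]
# Constructed policy: s2 is authorised only for alice, s3 only for bob.
AUTH = {("s1", "alice"), ("s2", "alice"), ("s3", "bob")}

# Weighted counting constraints: each w_c depends only on |pi(T)|, the
# number of distinct users on the scope, so it is user-independent.
def at_least(scope, r, unit):
    return lambda plan: unit * max(0, r - len({plan[s] for s in scope}))

def at_most(scope, r, unit):
    return lambda plan: unit * max(0, len({plan[s] for s in scope}) - r)

WEIGHTED_CONSTRAINTS = [
    at_least({"s1", "s2"}, 2, 5),  # separation of duty on s1, s2
    at_most({"s2", "s3"}, 1, 3),   # binding of duty on s2, s3
]

def omega(T, u, auth=AUTH):
    """Set-authorisation weight: zero iff u is authorised for all of T.
    A user holding more than two steps gets a flat large penalty (item 2)."""
    if len(T) > 2:
        return 100
    return sum(0 if (t, u) in auth else 4 for t in T)

def w_C(plan):
    return sum(w(plan) for w in WEIGHTED_CONSTRAINTS)

def w_A(plan, auth=AUTH):
    """w_A(pi) = sum over users u of omega(pi^-1(u), u)."""
    inverse = {u: set() for u in USERS}
    for s, u in plan.items():
        inverse[u].add(s)
    return sum(omega(T, u, auth) for u, T in inverse.items())

def total_weight(plan, auth=AUTH):
    return w_C(plan) + w_A(plan, auth)

def solve_valued_wsp(auth=AUTH):
    """Try all n^k complete plans; return the cheapest one and its weight."""
    best, best_w = None, None
    for choice in product(USERS, repeat=len(STEPS)):
        plan = dict(zip(STEPS, choice))
        w = total_weight(plan, auth)
        if best is None or w < best_w:
            best, best_w = plan, w
    return best, best_w
```

With the constructed policy, s2 can only be done by alice and s3 only by bob, so the binding-of-duty constraint on {s2, s3} cannot be met without an authorisation violation; the cheapest plan pays one such violation (weight 4) rather than the constraint penalty.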

3. SOLVING VALUED WSP WITH USER-INDEPENDENT CONSTRAINTS

In Section 3.1 we introduce the notion of weighted user-independent constraints and prove that Valued WSP with only user-independent constraints is fixed-parameter tractable (FPT). In Section 3.2 we describe an FPT algorithm to solve Valued WSP with user-independent constraints.

3.1 Weighted User-Independent Constraints and Patterns

A weighted constraint c is called user-independent if, for every permutation θ of U, w_c(π) = w_c(θ ∘ π). Thus, a weighted user-independent constraint does not distinguish between users. Any (weighted) counting constraint for which the weight of plan π is defined in terms of the cardinality of the image of π is user-independent.

Given a plan π : S' → U, where S' ⊆ S, the pattern P(π) of π is the partition {π⁻¹(u) : u ∈ U, π⁻¹(u) ≠ ∅} of S' into non-empty sets. We say that two plans π and π' are equivalent if they have the same pattern. If all constraints are user-independent and π and π' are equivalent, then w_C(π) = w_C(π'). A pattern is said to be complete if S' = S.

Generalising the corresponding result for WSP with user-independent constraints [7, Theorem 2], we can prove the following theorem, which uses weighted set-authorisation. We assume (i) that the weight of each assignment can be computed in time polynomial in the number of steps, users and constraints (denoted k, n and m, respectively); (ii) we can determine whether a plan satisfies a constraint in time polynomial in the number of steps and users.

Theorem 1. Valued WSP in which all constraints are user-independent can be solved in time 2^{k log k}(k + n + m)^{O(1)}. Thus, Valued WSP with user-independent constraints is FPT.

Proof. For a positive integer x, let [x] = {1, ..., x}. Recall that for equivalent complete plans π and π', we have w_C(π) = w_C(π'). However, w_A(π) = Σ_{u ∈ U} ω(π⁻¹(u), u) is, in general, different from w_A(π') and so we must compute the minimum value of w_A(π) among all equivalent complete plans π. To do so efficiently, for a complete plan π, we first construct a weighted complete bipartite graph G_π with partite sets [p] and U, where p = |P(π)|, as follows. Let P(π) = {T₁, ..., T_p}. The weight of an edge {q, u} is ω(T_q, u). Now observe that G_π = G_π' for every pair π, π' of equivalent complete plans and that w_A(π) equals the weight of the corresponding matching of G_π covering all vertices of [p]. Hence, it suffices to find such a matching of G_π of minimum weight, which can be done by the Hungarian method [18] in time O(n³).

Observe that the number of partitions of the set [k] into non-empty subsets, called the Bell number B_k, is smaller than k! and there are algorithms of running time O(B_k) = O(2^{k log k}) to generate all partitions of [k] [14]. Thus, we can generate all patterns in time O(2^{k log k}). For each of them we compute the corresponding complete plan of minimum weight, and, among all such plans, we choose the one of smallest weight. The total running time is O(2^{k log k}(k + n + m)^{O(1)}). □


Cohen et al. proved [7] that WSP with user-independent constraints cannot be solved in time 2^{o(k log k)}(k + n + m)^{O(1)} unless the widely believed Exponential Time Hypothesis⁴ fails. This and Proposition 1 imply that the FPT algorithm of Theorem 1 is optimal, in a sense.
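The algorithm of the proof of Theorem 1, together with the pattern extension and L(P) pruning described in Section 3.2, as one added example (our code, not the authors' PBB implementation): patterns are grown one step at a time into |P| + 1 extensions, each complete pattern is turned into a plan by a minimum-weight matching of its blocks to distinct users (the Hungarian method, in the standard potentials formulation), and branches are cut with the lower bound L(P), including the recursive l(q, a) for counting constraints. The four-step instance, the weights, the function names and the fixed step order that stands in for the importance function I(P, s) are our assumptions. Running with prune=False is exactly the exhaustive search of Theorem 1 over all B_k patterns, which is used here to check the pruned search.

```python
# Added example (not the authors' code): Theorem 1's pattern search with a
# Hungarian matching per complete pattern, plus the L(P) pruning of PBB
# (Section 3.2), on a constructed four-step, three-user instance.
STEPS = ["s1", "s2", "s3", "s4"]
USERS = ["alice", "bob", "carol"]
AUTH = {("s1", "alice"), ("s2", "bob"), ("s3", "bob"), ("s3", "carol"), ("s4", "carol")}
# Weighted counting constraints (T, omega_c): w_c(pi) = omega_c(|pi(T)|).
CONSTRAINTS = [
    ({"s1", "s2"}, lambda q: 0 if q >= 2 else 6),       # at-least-2 (separation of duty)
    ({"s2", "s3", "s4"}, lambda q: 3 * max(0, q - 1)),  # at-most-1 (binding of duty)
]

def omega(T, u):
    """Set-authorisation weight: 2 per step of T that u is not authorised for,
    plus 50 once u holds more than two steps. It is monotone in T, which is
    what makes the per-block term of L(P) below a valid lower bound."""
    return sum(2 for t in T if (t, u) not in AUTH) + (50 if len(T) > 2 else 0)

def hungarian(cost):
    """Min-weight assignment of each row to a distinct column (rows <= cols).
    Returns (total weight, column chosen for each row)."""
    n, m = len(cost), len(cost[0])
    INF = float("inf")
    u, v, p, way = [0] * (n + 1), [0] * (m + 1), [0] * (m + 1), [0] * (m + 1)
    for i in range(1, n + 1):
        p[0], j0 = i, 0
        minv, used = [INF] * (m + 1), [False] * (m + 1)
        while True:                      # grow a shortest alternating path
            used[j0] = True
            i0, delta, j1 = p[j0], INF, 0
            for j in range(1, m + 1):
                if not used[j]:
                    cur = cost[i0 - 1][j - 1] - u[i0] - v[j]
                    if cur < minv[j]:
                        minv[j], way[j] = cur, j0
                    if minv[j] < delta:
                        delta, j1 = minv[j], j
            for j in range(m + 1):
                if used[j]:
                    u[p[j]] += delta
                    v[j] -= delta
                else:
                    minv[j] -= delta
            j0 = j1
            if p[j0] == 0:
                break
        while j0:                        # augment along the path found
            j1 = way[j0]
            p[j0] = p[j1]
            j0 = j1
    cols = [0] * n
    for j in range(1, m + 1):
        if p[j]:
            cols[p[j] - 1] = j - 1
    return -v[0], cols

def w_C_pattern(blocks):
    """User-independence: |pi(T)| is the number of blocks meeting T."""
    return sum(oc(sum(1 for b in blocks if b & T)) for T, oc in CONSTRAINTS)

def best_plan_for_pattern(blocks):
    """Theorem 1: cheapest plan with this complete pattern = min-weight matching."""
    if len(blocks) > len(USERS):          # more blocks than users: no such plan
        return None, float("inf")
    wa, cols = hungarian([[omega(b, u) for u in USERS] for b in blocks])
    return {s: USERS[c] for b, c in zip(blocks, cols) for s in b}, w_C_pattern(blocks) + wa

def plan_weight(plan):
    """w(pi) = w_C(pi) + w_A(pi) evaluated directly on a complete plan."""
    inv = {}
    for s, u in plan.items():
        inv.setdefault(u, set()).add(s)
    return (sum(oc(len({plan[t] for t in T})) for T, oc in CONSTRAINTS)
            + sum(omega(T, u) for u, T in inv.items()))

def l_bound(oc, T, q, a):
    """l(q, a): q blocks meet T, a steps of T are placed; each remaining step
    of T either joins a block already meeting T or raises the count by one."""
    if a == len(T):
        return oc(q)
    return min(l_bound(oc, T, q, a + 1), l_bound(oc, T, q + 1, a + 1))

def lower_bound(blocks):
    """L(P) = sum_c L_c(P) + sum_{p in P} min_u omega(p, u)."""
    assigned = set().union(*blocks)
    lc = sum(l_bound(oc, T, sum(1 for b in blocks if b & T), len(T & assigned))
             for T, oc in CONSTRAINTS)
    return lc + sum(min(omega(b, u) for u in USERS) for b in blocks)

def explore(blocks, best, nodes, prune):
    """PBB: extend P by one step into |P| + 1 children, skip those with L(P') >= w(best)."""
    nodes[0] += 1
    assigned = set().union(*blocks)
    if len(assigned) == len(STEPS):
        plan, cost = best_plan_for_pattern(blocks)
        return (plan, cost) if cost < best[1] else best
    s = next(t for t in STEPS if t not in assigned)   # fixed order stands in for I(P, s)
    children = [blocks[:i] + [b | {s}] + blocks[i + 1:] for i, b in enumerate(blocks)]
    children.append(blocks + [frozenset([s])])
    for child in children:
        if not prune or lower_bound(child) < best[1]:
            best = explore(child, best, nodes, prune)
    return best

def solve(prune=True):
    """Return (optimal plan, its weight, number of search-tree nodes visited)."""
    nodes = [0]
    plan, cost = explore([], (None, float("inf")), nodes, prune)
    return plan, cost, nodes[0]
```

The exhaustive run visits every partial pattern of the four steps (1 + 1 + 2 + 5 + 15 = 24 nodes, the last 15 being B₄ complete patterns); the pruned run reaches the same optimum after visiting fewer nodes. A pattern with more blocks than users is reported as infeasible rather than matched, and a set-authorisation function that is not monotone in T would need a different per-block bound than the min_u ω(p, u) term used here.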


3.2 Pattern Branch and Bound 

We present a branch-and-bound algorithm (Algorithm]!]) for 
the Valued WSP. This algorithm is inspired by the Pat¬ 
tern Backtracking algorithm for the WSP HZ]. However, 
the original algorithm solves a decision problem, whereas 
the Valued WSP is an optimisation problem. Thus our 
algorithm for Valued WSP requires a completely differ¬ 
ent algorithmic framework. We call our algorithm for the 
Valued WSP Pattern Branch and Bound (PBB). Given a 
pattern P, we will write T{P) = UpgpP denote the set 
T C 5 on which P is the partition. 


The general idea of the algorithm follows the proof of Theo¬ 
rem [T] The algorithm explores the space of patterns with a 

■^The Exponential Time Hypothesis claims there is no algo¬ 
rithm of running time O* (2°*-"^) for 3SAT on n variables [1^ . 
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Algorithm 1: Entry point of the PBB algorithm, 
input : Valued WSP instance W 
output: The optimal complete plan for W 
A A(TV), where X{W) is the global lower bound; 

TT ■<— H{W), where H{W) is a Valued WSP heuristic; 
return explore{(li, n, X); 


beginning of the search (line [2] of Algorithm [T]). In a sim¬ 
ple implementation, the global lower bound X{W) could be 
a constant function X{W) = 0; that would terminate the 
algorithm as soon as a complete plan satisfying all the con¬ 
straints and authorisations is found. The heuristic algorithm 
can be as simple as a trivial plan assigning some user to all 
the steps S. 


Algorithm 2: Recursive procedure explore{P,n*, X) of the 
PBB algorithm. 


1 
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input : Node P of the search tree; best plan tt* found so 
far; the global lower bound A 

output: The best plan found after exploring this branch of 
search 

if P IS a complete pattern then 

Let tt' be an optimal plan with pattern P; 
tt" t- argmin^g{^/,^.} w(7r); 
else 

f/ , * 

TT <— TT ; 

Select s € S \ T{P) maximising 7(P, s); 
forall the extensions P' of P with step s do 
if L{P') < w{tt") and wijr'') > A then 
Let tt' t— explore{P',n”,X)\ 

|_ tt" argmin^g{^/,^//} w(7r); 


11 return tt”; 


depth-first search and for each complete pattern P seeks an 
optimal plan tt such that P(7r) = P (recall that such a plan 
can be found efficiently). Each node of the search tree is a 
pattern, with the root being an empty pattern and leaves 
being complete patterns. In each non-leaf node P, the al¬ 
gorithm selects a step s £ S such that s 0 T{P) (line [6] of 
Algorithmic, and generates one child node for each possi¬ 
bility to extend P with s ('line llOD . By extensions of P with 
step s we mean patterns P' obtained from P by adding s to 
one of the subsets p € P or adding a new subset {s} to the 
partition; hence, there are |P| + 1 extensions of P. 

Like any branch-and-bound algorithm, PBB utilises a lower 
bound L{P) for pruning branches. The lower bound L{P) 
in a node P is computed as follows: 

L(P) = ^ Lc(P) + ^ mmuj{p,u ), 

' ^ ‘ ^u^U 

cGC pGP 

where Lc{P) is the lower bound of Wc{it), where tt is an 
extension of a plan with pattern P. The implementation 
of Lc{P) depends on the constraint type. For example, for 
a counting constraint c with the scope T and weight func¬ 
tion Wc(tt) = a;c(|7r(r)|), the lower bound can be computed 
as Lc{P) = l{q,a), where q = \{p £ P ■ pHT ^ 0}|, 
a= |rnr(P)| and l{q,a) is the following recursive func¬ 
tion: 

n ifa=|T|, 

’ 1 min{f((jt, a-I-1), Z(g-I-1, a-I-1)} otherwise. 


In our implementation, however, we translate the Valued 
WSP instance W into WSP instances and solve them to 
obtain better global lower bound and upper bound. Let 
WSP(TV, a;) be a WSP instance obtained from W by elimi¬ 
nating all the constraints and authorisations with penalties 
below X and converting the rest of the constraints and autho¬ 
risations into hard constraints. By solving WSP(VE, a:) we 
establish either the global lower bound or the upper bound. 
If WSP(1V, a;) is unsatisfiable, we conclude that there ex¬ 
ists no complete plan tt such that w(tt) < x and, hence, 
X{W) = X. Otherwise, the plan valid in WSP(1V, a:) can be 
used for an upper bound in W. We start from solving the 
WSP(1V, 1) and, if it turns out to be unsatisfiable, we solve 
the WSP(1V, M), where M is a large enough number, which 
usually gives us a good upper bound as it rules out plans 
that break highly-penalised constraints. 

The order in which patterns are extended (a step at a time) makes no difference to the worst-case time complexity of the algorithm but is crucial to its performance in practice [17]. It is defined by the 'importance' function $I(P, s)$, the intention being to focus on the most important steps as early as possible so as to quickly prune fruitless branches of the search. The importance of a step mostly depends on the constraints that include the step in their respective scopes. For example, if a step is involved in several separation-of-duty constraints, adding it to the pattern may significantly reduce the search space and possibly increase the penalties for some at-most constraints. Another example is when most of the steps of some constraint's scope are already assigned: adding the remaining steps to the pattern may have a severe effect on the penalty for that constraint. The 'importance' metric is context-dependent, i.e. the order of steps needs to be determined dynamically in each branch of the search tree.

The 'importance' function $I(P, s)$ is a heuristic expression which we parametrised and optimised by an automated parameter tuning method. Our function $I(P, s)$ takes into account the number and types of the constraints in which the step is involved. In addition, it accounts for the constraints with incomplete scopes. Finally, we check intersections of 'conflicting' constraints such as at-most and not-equals or at-most and at-least.

As shown in the proof of Theorem 1, finding the optimal assignment of users given a fixed pattern can be done in $O(n^3)$ time (if computing $w_c(\pi)$ takes $O(n^3)$ time and computing $\omega(T, u)$ takes $O(n^2/k)$ time). Each non-leaf node of the search tree has at least two child nodes and, hence, the size of the search tree is within $O(B_k)$. Then the worst-case time complexity of the PBB algorithm is $O(B_k n^3)$.


Other speed-ups implemented in the PBB algorithm include a global lower bound $\lambda(W)$ (line 1 of Algorithm 1) and the heuristic $H(W)$ to obtain a good upper bound from the very

With the exception of the 'step importance' function $I(P, s)$, which is easy to adjust for any type of instance, and the lower bound $L(P)$, our algorithm is a generic solver for the user-independent Valued WSP. For example, it does not exploit the specifics of the counting constraints, which could be used to preprocess problem instances [7]. This shows that our approach is generic and easy to implement, and that its performance can be further improved by implementing instance-specific speed-ups.

4. EXPERIMENTAL RESULTS

The pseudo-Boolean SAT solver SAT4J has been used to solve the WSP [23]. Recent work has demonstrated that a bespoke pattern-based algorithm can outperform SAT4J in solving WSP [17]. Integer linear programming has been used by Basin et al. to solve the allocation existence problem [2], which is related to Valued WSP. In this section, we describe the experimental work on Valued WSP that we have undertaken. In particular, we compare the performance of our PBB algorithm to that of a state-of-the-art commercial MIP solver in our computational experiments on Valued WSP. We first describe the problem instances we used and how we represented Valued WSP as a mixed integer programming (MIP) problem. We then present the results of our experiments.

4.1 Benchmark Instances

We use a pseudo-random instance generator to produce benchmark instances. Our generator is an extension of an existing instance generator for WSP [?]. The parameters of the generator are the number $k$ of steps in the instance, the not-equals constraint density $d$ in the range 0-100%, the multiplier $\alpha$ for the number of constraints and the seed value for initialisation of the pseudo-random number generator. The generator produces an instance with $k$ steps and $10k + 10$ users: $10k$ employees $U'$ and 10 external consultants $U''$. The penalty for assigning steps $T \subseteq S$ to an employee $u \in U'$ is given by

$$
\omega(T, u) = |T \cap B| \cdot 10 + |T \setminus (A \cup B)| \cdot 10^6,
$$

where $A \subseteq S$ and $B \subseteq S$ are selected uniformly at random from $S$, with $A \cap B = \emptyset$ and $|A|$ being selected uniformly at random from $[1, \lceil (k-4)/2 \rceil]$, and $|B| = 2$. The penalty for assigning steps $T \subseteq S$ to an external consultant $u \in U''$ is given by

$$
\omega(T, u) = \begin{cases}
0 & \text{if } T = \emptyset, \\
20 & \text{if } T \neq \emptyset \text{ and } T \subseteq A, \\
10^6 \cdot |T \setminus A| & \text{if } T \subseteq S \setminus A, \\
10^6 \cdot |T \setminus A| + 20 & \text{otherwise,}
\end{cases}
$$

where $A \subseteq S$ is selected uniformly at random having selected $|A|$ uniformly at random from $[1, \lceil k/4 \rceil]$.

Further, $\lfloor (dk(k-1) + 1)/2 \rfloor$ distinct not-equals constraints are produced uniformly at random, each with penalty $10^6$ for assigning one user to both steps. Finally, $\alpha k$ at-most-3 constraints and $\alpha k$ at-least-3 constraints are generated uniformly at random. The scopes of all the at-most-3 and at-least-3 constraints are set to 5 steps. The at-least-3 penalties are defined as $\omega_c(1) = 10^6$, $\omega_c(2) = 1$, $\omega_c(3) = \omega_c(4) = \omega_c(5) = 0$. The at-most-3 penalties are defined as $\omega_c(1) = \omega_c(2) = \omega_c(3) = 0$, $\omega_c(4) = 5$ and $\omega_c(5) = 10$.
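The generator described above, rendered in Python as an added example (it is not the authors' generator, and the pseudo-random choices it makes will not reproduce the paper's instances). It takes $d$ as a fraction (0.1 for 10%), assumes $k \ge 5$ so that every size range is non-empty, and represents users as ("emp", i) or ("con", j) pairs; the plan-weight function applies the penalty definitions of this section to a complete plan.

```python
import math
import random
from itertools import combinations

# Added example (not the paper's generator). Penalty tables as in Section 4.1.
BIG = 10**6
AT_LEAST_3 = {1: BIG, 2: 1, 3: 0, 4: 0, 5: 0}
AT_MOST_3 = {1: 0, 2: 0, 3: 0, 4: 5, 5: 10}


def employee_penalty(T, A, B):
    """omega(T, u) for an employee: 10 per step in B(u), 10^6 per step outside A(u) u B(u)."""
    return len(T & B) * 10 + len(T - (A | B)) * BIG


def consultant_penalty(T, A):
    """omega(T, u) for a consultant: 20 once any step of A(u) is used, 10^6 per step outside A(u)."""
    if not T:
        return 0
    if T <= A:
        return 20
    if T.isdisjoint(A):              # T is a subset of S \ A
        return BIG * len(T - A)
    return BIG * len(T - A) + 20


def generate_instance(k, d, alpha, seed):
    """k steps, 10k employees, 10 consultants, not-equals and counting constraints."""
    rng = random.Random(seed)
    S = list(range(k))
    employees = []                   # (A(u), B(u)) per employee, disjoint, |B| = 2
    for _ in range(10 * k):
        size_a = rng.randint(1, math.ceil((k - 4) / 2))
        picked = rng.sample(S, size_a + 2)
        employees.append((set(picked[:size_a]), set(picked[size_a:])))
    consultants = [set(rng.sample(S, rng.randint(1, math.ceil(k / 4))))
                   for _ in range(10)]
    n_neq = math.floor((d * k * (k - 1) + 1) / 2)
    not_equals = rng.sample(list(combinations(S, 2)), n_neq)   # distinct pairs
    counting = []                    # (scope of 5 steps, omega_c table)
    for omega in (AT_MOST_3, AT_LEAST_3):
        for _ in range(int(alpha * k)):
            counting.append((frozenset(rng.sample(S, 5)), omega))
    return {"k": k, "employees": employees, "consultants": consultants,
            "not_equals": not_equals, "counting": counting}


def plan_weight(inst, plan):
    """w(pi) for a complete plan: dict step -> ("emp", i) or ("con", j)."""
    steps_of = {}
    for s, u in plan.items():
        steps_of.setdefault(u, set()).add(s)
    w = 0
    for (kind, i), T in steps_of.items():
        if kind == "emp":
            w += employee_penalty(T, *inst["employees"][i])
        else:
            w += consultant_penalty(T, inst["consultants"][i])
    w += sum(BIG for s1, s2 in inst["not_equals"] if plan[s1] == plan[s2])
    w += sum(omega[len({plan[s] for s in T})] for T, omega in inst["counting"])
    return w
```

With $k = 20$, $d = 10\%$ and $\alpha = 0.5$ the generator yields 210 users, 19 not-equals constraints and 20 counting constraints, matching the counts implied by the formulas above.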

4.2 Mixed Integer Programming Formulation 


In order to use an MIP solver, we propose an efficient MIP formulation of the Valued WSP. Note that the MIP formulation is specific to the particular constraints present in the instances, unlike the PBB algorithm. In this section we describe an MIP formulation for the instances described in Section 4.1.

Let $C = C_{\le} \cup C_{\ge}$, where $C_{\le}$ is the set of at-most-$r$ constraints and $C_{\ge}$ is the set of at-least-$r$ constraints. (Note that not-equals constraints can be modelled as at-least-2 constraints with a scope of two steps.) For each constraint $c \in C$ we are given its scope $T_c \subseteq S$, the maximum (minimum, respectively) number $r_c$ of distinct users that can be assigned to $T_c$ such that the at-most (at-least, respectively) constraint $c$ is satisfied, and the penalty $\omega_c(q)$ for assigning $q$ distinct users to $T_c$ (note that $\omega_c(r_c) = 0$).

For each employee $u \in U'$ and each step $s \in S \setminus A(u)$ we are given an additive weight $\omega_{su} > 0$ of assigning $u$ to $s$, which models the penalties for steps in both $B(u)$ and $S \setminus (A(u) \cup B(u))$. For each consultant $u \in U''$ we are given a set of steps $A(u) \subseteq S$, any of which can be assigned to $u$ for a penalty $\omega_u > 0$, and a weight $\omega_{su} > 0$ for assigning a step $s \in S \setminus A(u)$ to $u$.

The complete plan in our formulation is defined by binary decision variables $x_{su}$, $s \in S$, $u \in U$. Variable $x_{su}$ takes value 1 if step $s$ is assigned to user $u$ and 0 otherwise. The Valued WSP is then encoded in (1)-(14):

$$
\begin{aligned}
\text{minimise}\quad
& \sum_{c \in C_{\le}} \sum_{q = r_c + 1}^{|T_c|} \bigl(\omega_c(q) - \omega_c(q-1)\bigr)\, p_{cq}
  + \sum_{c \in C_{\ge}} \sum_{q = 1}^{r_c - 1} \bigl(\omega_c(q) - \omega_c(q+1)\bigr)\, p_{cq} \\
& + \sum_{u \in U'} \sum_{s \in S \setminus A(u)} \omega_{su}\, x_{su}
  + \sum_{u \in U''} \omega_u\, z_u
  + \sum_{u \in U''} \sum_{s \in S \setminus A(u)} \omega_{su}\, x_{su} & (1)
\end{aligned}
$$

subject to

$$
\begin{aligned}
& \sum_{u \in U} x_{su} = 1 && \text{for } s \in S, & (2) \\
& \sum_{u \in U} y_{cu} - \sum_{q = r_c + 1}^{|T_c|} p_{cq} \le r_c && \text{for each } c \in C_{\le}, & (3) \\
& p_{cq} - p_{c,q+1} \ge 0 && \text{for } c \in C_{\le} \text{ and } q = r_c + 1, \ldots, |T_c| - 1, & (4) \\
& \sum_{u \in U} y_{cu} + \sum_{q = 1}^{r_c - 1} p_{cq} \ge r_c && \text{for each } c \in C_{\ge}, & (5) \\
& p_{cq} - p_{c,q+1} \le 0 && \text{for } c \in C_{\ge} \text{ and } q = 1, 2, \ldots, r_c - 2, & (6) \\
& y_{cu} - x_{su} \ge 0 && \text{for each } c \in C_{\le},\ u \in U \text{ and } s \in T_c, & (7) \\
& y_{cu} - \sum_{s \in T_c} x_{su} \le 0 && \text{for each } c \in C_{\ge} \text{ and } u \in U, & (8) \\
& z_u - x_{su} \ge 0 && \text{for each } u \in U'' \text{ and } s \in A(u), & (9) \\
& x_{su} \in \{0, 1\} && \text{for } s \in S \text{ and } u \in U, & (10) \\
& 0 \le y_{cu} \le 1 && \text{for } c \in C \text{ and } u \in U, & (11) \\
& p_{cq} \in \{0, 1\} && \text{for } c \in C_{\le} \text{ and } q = r_c + 1, \ldots, |T_c|, & (12) \\
& p_{cq} \in \{0, 1\} && \text{for } c \in C_{\ge} \text{ and } q = 1, 2, \ldots, r_c - 1, & (13) \\
& 0 \le z_u \le 1 && \text{for } u \in U''. & (14)
\end{aligned}
$$

In addition to the binary variables $x_{su}$, we introduce some other variables. Binary variables $y_{cu}$, $c \in C$, $u \in U$, determine whether user $u$ is assigned some step in the scope $T_c$ of constraint $c$. Since $y_{cu}$ for $c \in C_{\le}$ is minimised and bounded from below by the binary expressions in (7), its integrality constraint can be waived. Since $y_{cu}$ for $c \in C_{\ge}$ is maximised and bounded from above by the binary expressions in (8), its integrality constraint can also be waived. Similar logic applies to $z_u$, which indicates whether consultant $u \in U''$ is assigned any step in $A(u)$. Finally, we introduce the binary variables $p_{cq}$ for each $c \in C$ and $q \in \mathbb{N}$ such that $\omega_c(q) > 0$. These variables are responsible for the constraint penalties; with appropriate limitations imposed on the instances (as our instance generator does), the integrality of $p_{cq}$ and constraints (4) and (6) can be waived.

The objective function (1) is the weight of the plan defined by $x_{su}$, and thus our aim is to minimise it.
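To see why the telescoping sums in (1) reproduce $\omega_c(q)$, the following added example (not the paper's or CPLEX's code) takes a constructed 4-step instance with one employee and one consultant, derives the variable values a solver would settle on for a given complete plan ($y_{cu}$ and $z_u$ at the values forced by (7)-(9), $p_{cq}$ as forced by (3)-(6)), and checks that objective (1) on those values equals $w(\pi)$ computed directly from the Section 4.1 penalty definitions. The instance data and penalty tables are invented for the example.

```python
# Added example (not the paper's code). Constructed instance: 4 steps, one
# employee e0, one consultant c0, one at-most-1 and one at-least-2 constraint.
S = [0, 1, 2, 3]
EMPLOYEES = {"e0": {"A": {0, 1}, "B": {2}}}   # A(u) authorised; B(u) costs 10 per step
CONSULTANTS = {"c0": {"A": {2, 3}}}           # any step of A(u) costs omega_u once
USERS = list(EMPLOYEES) + list(CONSULTANTS)
OMEGA_U = {"c0": 20}
BIG = 10**6                                   # weight of a step outside A(u) (and B(u))
# (T_c, r_c, omega_c) with omega_c(r_c) = 0; C_LE holds at-most, C_GE at-least
C_LE = [({0, 1, 2}, 1, {1: 0, 2: 5, 3: 10})]
C_GE = [({1, 2, 3}, 2, {1: 1000, 2: 0, 3: 0})]


def omega_su(s, u):
    """Per-step weight omega_su for s in S \\ A(u); None when s is in A(u)."""
    if u in EMPLOYEES:
        A, B = EMPLOYEES[u]["A"], EMPLOYEES[u]["B"]
        return None if s in A else (10 if s in B else BIG)
    return None if s in CONSULTANTS[u]["A"] else BIG


def direct_weight(plan):
    """w(pi) straight from the penalty definitions (employee, consultant, counting)."""
    w = 0
    for u in EMPLOYEES:
        w += sum(omega_su(s, u) or 0 for s in S if plan[s] == u)
    for u in CONSULTANTS:
        T = {s for s in S if plan[s] == u}
        w += OMEGA_U[u] * bool(T & CONSULTANTS[u]["A"])
        w += sum(omega_su(s, u) or 0 for s in T)
    for T, _, omega in C_LE + C_GE:
        w += omega[len({plan[s] for s in T})]
    return w


def encode(plan):
    """Variable values for a plan: x from pi, y/z at their forced values,
    p as forced by (3)-(6) (the fewest ones that keep the plan feasible)."""
    x = {(s, u): int(plan[s] == u) for s in S for u in USERS}
    y, p, z = {}, {}, {}
    for ci, (T, r, _) in enumerate(C_LE):
        for u in USERS:
            y[("le", ci, u)] = max(x[(s, u)] for s in T)         # pushed up by (7)
        used = sum(y[("le", ci, u)] for u in USERS)
        for q in range(r + 1, len(T) + 1):
            p[("le", ci, q)] = int(q <= used)                     # (3) needs used - r ones
    for ci, (T, r, _) in enumerate(C_GE):
        for u in USERS:
            y[("ge", ci, u)] = min(1, sum(x[(s, u)] for s in T))  # capped by (8)
        used = sum(y[("ge", ci, u)] for u in USERS)
        for q in range(1, r):
            p[("ge", ci, q)] = int(q >= used)                     # (5) needs r - used ones
    for u in CONSULTANTS:
        z[u] = max(x[(s, u)] for s in CONSULTANTS[u]["A"])        # pushed up by (9)
    return {"x": x, "y": y, "p": p, "z": z}


def objective(v):
    """Objective (1): telescoping penalty differences times p, plus authorisation terms."""
    total = 0
    for ci, (T, r, omega) in enumerate(C_LE):
        total += sum((omega[q] - omega[q - 1]) * v["p"][("le", ci, q)]
                     for q in range(r + 1, len(T) + 1))
    for ci, (T, r, omega) in enumerate(C_GE):
        total += sum((omega[q] - omega[q + 1]) * v["p"][("ge", ci, q)]
                     for q in range(1, r))
    for (s, u), val in v["x"].items():
        w = omega_su(s, u)
        if w is not None:
            total += w * val
    return total + sum(OMEGA_U[u] * v["z"][u] for u in CONSULTANTS)


def feasible(v):
    """Constraints (2)-(9) on an encoding."""
    x, y, p, z = v["x"], v["y"], v["p"], v["z"]
    if any(sum(x[(s, u)] for u in USERS) != 1 for s in S):
        return False
    for ci, (T, r, _) in enumerate(C_LE):
        qs = range(r + 1, len(T) + 1)
        if sum(y[("le", ci, u)] for u in USERS) - sum(p[("le", ci, q)] for q in qs) > r:
            return False
        if any(p[("le", ci, q)] < p[("le", ci, q + 1)] for q in range(r + 1, len(T))):
            return False
        if any(y[("le", ci, u)] < x[(s, u)] for u in USERS for s in T):
            return False
    for ci, (T, r, _) in enumerate(C_GE):
        if sum(y[("ge", ci, u)] for u in USERS) + sum(p[("ge", ci, q)] for q in range(1, r)) < r:
            return False
        if any(p[("ge", ci, q)] > p[("ge", ci, q + 1)] for q in range(1, r - 1)):
            return False
        if any(y[("ge", ci, u)] > sum(x[(s, u)] for s in T) for u in USERS):
            return False
    return all(z[u] >= x[(s, u)] for u in CONSULTANTS for s in CONSULTANTS[u]["A"])
```

For a plan with $q'$ distinct users on an at-most-$r_c$ scope, (3) and (4) force exactly $p_{c,r_c+1} = \dots = p_{c,q'} = 1$, and the coefficients sum to $\omega_c(q') - \omega_c(r_c) = \omega_c(q')$; the at-least case telescopes the same way downwards from $r_c$.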

4.3 Experimental Results 

We conducted a series of computational experiments to test the performance of the Valued WSP solution methods. Our test machine is powered by two Intel Xeon E5-2630 v2 CPUs (2.6 GHz) and has 32 GB RAM installed. The PBB algorithm is implemented in C#, and the MIP formulation is solved with CPLEX 12.6. In all our experiments, each solver run is allocated exactly one physical CPU core. Each result is reported as an average over 100 runs for 100 instances obtained by changing the random generator seed value.

Main computational results are reported in Table 1. The columns $k$, $d$ and $\alpha$ indicate the parameters of the instances. For each combination of parameters, 100 instances were generated. The column "Sat." reports the percentage of the instances that are satisfiable. The column $w(\pi)$ shows the average weight of the optimal complete plans. The other columns compare the MIP-based solver to the PBB algorithm. Each of them is given one hour for each instance. The "Solved" columns show the percentage of instances successfully solved within the one-hour limit by each of the solvers. The "Time, sec" columns show the average time taken by each of the approaches. If at least one of the runs failed for a solver, a question mark is shown in the corresponding cell of the table. The $w_C(\pi)$ and $w_A(\pi)$ columns show the components of the weight corresponding to the constraint and authorisation penalties, respectively. For those parameter sets where at least one of the runs failed, we use the "Best $w(\pi)$" columns to report the average weight of the best plan obtained by each of the solvers.

For each $k$, Table 1 includes a range of instances, from lightly constrained instances, which are mostly satisfiable, to highly constrained instances, none of which is satisfiable. Naturally, the most interesting instances from the perspective of Valued WSP are those that are unsatisfiable (since it is necessary to find an optimal plan of non-zero weight for such instances). We are most interested in the unsatisfiable instances with moderate weights of the optimal complete plans. A small weight $w(\pi)$ indicates that only a few minor exceptions are needed to implement the complete plan $\pi$. With such a plan, it is easy to identify the bottleneck of the problem and refine it, or to accept the exceptions to the constraints, as the exceptions are likely to be mild. The $w_C(\pi)$ and $w_A(\pi)$ columns show that in most cases the authorisations were not broken. In fact, there were only a few highly constrained instances in which the optimal complete plans assigned some steps to consultants, as the penalty for doing so is relatively high in our instances.

The complexity of the instances depends to a great extent on the number of steps $k$ and the other parameters of the instances. While small lightly-constrained instances can be easily tackled by either of the solvers, other instances clearly require an efficient algorithm. The MIP solver succeeds with all the instances of size $k = 20$ but fails to solve many of the larger instances within an hour. The PBB algorithm demonstrates much better performance, solving all the instances of size up to $k = 30$ and the majority of the instances of size $k = 35$. It is worth noting that the running time of the MIP solver can reach 10 minutes for $k = 20$, while the PBB solver solves all such instances within a fraction of a second.

Exact algorithms for solving hard optimisation problems will, necessarily, take a long time to compute results for certain instances. However, such an algorithm may find an optimum or near-optimum result long before the whole solution space has been searched and can thus be used to compute a reasonable solution for instances that do not run to completion. The "Best $w(\pi)$" columns in Table 1 clearly show that MIP is far less suitable than PBB for this purpose.

To establish the practical limit on the problem size that each of the solvers can tackle within a reasonable time, we conducted another experiment to determine the number of instances that the two solvers could solve given at most one hour for each instance. Figure 1 shows the results of the experiment. Each result is averaged over 100 experiments for each instance.

Figure 1(a) shows the performance of the methods on highly constrained instances. Given one hour, PBB solves 100% of the instances of size up to $k = 32$. In contrast, MIP can only reliably manage instances for $k \le 22$, and for $k = 32$ it fails to solve any instances at all. Figure 1(b) reports the results of the same experiment but for less constrained instances. The results are broadly similar, with PBB solving all the instances of size up to $k = 44$, whereas MIP fails for some instances when $k \ge 24$. This experiment shows that the PBB algorithm significantly extends the range of solvable instances of Valued WSP, something that will be important for large real-world workflow specifications. Considering that the running time of each of the methods grows exponentially with the size of the problem (see appendix), large instances of Valued WSP would require enormous computational power to be solved with MIP, while the PBB algorithm tackles them within minutes on a regular machine.


Table 1: Comparison of the PBB and MIP solvers, each being given one hour per instance

                                Solved         Time, sec        w_C(pi)        w_A(pi)       Best w(pi)
 k    d    alpha  Sat.   w(pi)   PBB   MIP     PBB      MIP     PBB    MIP     PBB    MIP     PBB        MIP
20   10%   0.50   100%    0.0   100%  100%     0.0      5.9     0.0    0.0     0.0    0.0      -          -
20   20%   0.50    90%    0.4   100%  100%     0.0     19.8     0.4    0.4     0.0    0.0      -          -
20   30%   0.50    37%    4.0   100%  100%     0.0     65.0     3.8    4.0     0.2    0.0      -          -
20   10%   1.00    18%    4.4   100%  100%     0.1    556.0     4.3    4.2     0.1    0.2      -          -
20   20%   1.00     0%   14.2   100%  100%     0.1    532.9    13.5   13.8     0.7    0.4      -          -
20   30%   1.00     0%   24.3   100%  100%     0.1    469.9    23.4   23.5     0.9    0.8      -          -
25   10%   0.50   100%    0.0   100%  100%     0.0     32.0     0.0    0.0     0.0    0.0      -          -
25   20%   0.50    93%    0.4   100%  100%     0.0    102.2     0.4    0.4     0.0    0.0      -          -
25   30%   0.50    27%    5.0   100%  100%     0.0    319.3     5.0    5.0     0.0    0.0      -          -
25   10%   1.00    40%    2.3   100%   39%     0.3        ?     2.3      ?     0.0      ?      -        4.1
25   20%   1.00     0%   14.3   100%   66%     0.8        ?    13.7      ?     0.6      ?      -       14.9
25   30%   1.00     0%   29.9   100%   95%     2.0        ?    28.9      ?     1.0      ?      -       29.9
30   10%   0.50   100%    0.0   100%  100%     0.0     72.2     0.0    0.0     0.0    0.0      -          -
30   20%   0.50    88%    0.6   100%   99%     0.0        ?     0.6      ?     0.0      ?      -        0.6
30   30%   0.50    24%    5.7   100%   99%     0.1        ?     5.7      ?     0.0      ?      -        5.7
30   10%   1.00     6%    5.8   100%    3%     5.1        ?     5.7      ?     0.1      ?      -       14.9
30   20%   1.00     0%   22.8   100%    7%    36.3        ?    22.4      ?     0.4      ?      -       31.5
30   30%   1.00     0%   43.5   100%   31%   173.7        ?    43.2      ?     0.3      ?      -       52.8
35   10%   0.50   100%    0.0   100%  100%     0.0    195.9     0.0    0.0     0.0    0.0      -          -
35   20%   0.50    91%    0.4   100%   89%     0.2        ?     0.4      ?     0.0      ?      -        0.6
35   30%   0.50    13%    7.7   100%   68%    18.5        ?     7.7      ?     0.0      ?      -        8.0
35   10%   1.00     3%    6.2   100%    0%    64.7        ?     6.2      ?     0.0      ?      -       33.5
35   20%   1.00      ?      ?    92%    0%       ?        ?       ?      ?       ?      ?   29.6   130071.1
35   30%   1.00      ?      ?    48%    0%       ?        ?       ?      ?       ?      ?   60.1  2990104.6

5. RELATED WORK

Recent work on workflow satisfiability has borrowed techniques from the literature on constraint satisfaction [3]. Indeed, WSP may be regarded as a constraint satisfaction problem, albeit with some unusual features which make the study of WSP of interest in its own right. Recent work in the constraint satisfaction community has made a distinction between "hard" and "soft" constraints: the former must be satisfied, while the latter may be broken provided the "cost" of breaking the constraint is taken into account.

The valued constraint satisfaction problem, or VCSP for short, was introduced by Schiex, Fargier and Verfaillie [21] as a unifying framework for studying constraint programming with soft constraints. The study of a special case of VCSP, called finite-valued VCSP, was initiated by Cohen et al. [8]. In this case, useful for many applications, all weights are in $\mathbb{Z}$ (i.e., finite) and the objective function is the sum of the appropriate weights. Valued CSP has influenced our framework for defining costs and Valued WSP.

Recent work on WSP introduced the notion of a pattern for user-independent constraints, and bespoke algorithms, optimised to solve WSP using patterns, have been developed [7, 17]. The branch-and-bound algorithm in Section 3.2 is influenced by the work of Karapetyan, Gagarin and Gutin [17].

The most closely related work in the literature on access control in workflows is that of Basin, Burri and Karjoth [2], which considers the cost of modifying the authorisation policy when the workflow is unsatisfiable. They encode the problem of minimising this cost as an integer linear programming problem and use off-the-shelf software to solve the resulting problem. We tackle the problem of an unsatisfiable workflow specification in a different way. We assume the constraints and authorisation policy are fixed and instead associate costs with breaking the constraints and/or policies. Each violation incurs a cost, and the goal of Valued WSP is to minimise that cost. Thus our approach provides greater flexibility than that of Basin et al.: we can break constraints as well as override the existing authorisation policy. Obviously, there may be constraints (arising from statutory requirements, say) that cannot be broken. Violation of such a constraint is simply assigned the maximum cost. And of course, we can always refuse to implement a plan proposed by the algorithm.

Our work is also related to the growing body of research on risk-based and risk-aware access control [1, 5, 11, 12]. In such approaches, the decision returned by the policy decision point for a given access request is not necessarily a simple "allow" or "deny". The decision may be a number in the range $[0, 1]$ indicating the risk associated with allowing the request, which allows the policy enforcement point to allow or deny the request on the basis of cumulative risk (either on a per-user or system basis). The decision may also include an obligation that must be fulfilled by the policy enforcement point or requester to ensure that the risk is recorded and/or mitigated appropriately.
There is little work in the security literature on risk-aware workflows. One exception is the MRARD framework of Han, Ni and Chen [?]. However, the emphasis of their work (and of similar work in the business processing literature) is on the modelling and computation of risk, rather than determining an optimal assignment of users to steps in a workflow given the risk metrics.

Figure 1: Comparison of the methods in terms of the ability to solve an instance within one hour. (a) $d = 20\%$ and $\alpha = 1.00$; (b) $d = 10\%$ and $\alpha = 0.75$. [plots not reproduced]

6. CONCLUDING REMARKS

We have established a framework that enables us to reason about unsatisfiable workflow specifications by associating costs with policy and constraint violations. This, in turn, enables us to formulate the Valued WSP, whose solution provides an assignment of users to steps that minimises the total cost of violations. We have developed a bespoke algorithm for solving Valued WSP and shown that its performance is far better than that of a generic solver, both in terms of the time taken to solve Valued WSP and the range of instances that can be solved in a reasonable amount of time.

There are several interesting possibilities for future work. 
One obvious possibility is to move to a completely risk-based 
approach for the assignment of users to steps in workflows. 
Specifically, we retain the constraints but replace the au¬ 
thorisation policy with a risk matrix, associating each user- 
step pair with a risk. The goal would be to ensure that the 
risk associated with a workflow instance remains below some 
specified threshold. 

A second possibility arises from the idea of associating each pair $(T, u)$ with a cost, which provides the basis for an alternative "non-linear" approach to access control. Suppose that we consider a set of permissions $P$, as in conventional role-based access control, and we associate a cost $\omega(Q, u)$ with each pair, where $u$ is a user and $Q$ is a subset of $P$. Given an RBAC policy, expressed as a user-role relation $UA \subseteq U \times R$ and permission-role relation $PA \subseteq R \times P$, we write $P(u)$ to denote the set of permissions for which $u$ is authorised: that is, $P(u) = \{p \in P : \exists r \in R,\ (u, r) \in UA,\ (r, p) \in PA\}$. Then we define the weight of the policy to be

$$
w_A(UA, PA) = \sum_{u \in U} \omega(P(u), u).
$$

This then raises some interesting questions that may have practical value. We might, for example, consider the following problem: given inputs $U$, $P$, $\{\omega(Q, u) : u \in U, Q \subseteq P\}$ and an integer $k$, compute a set of roles $R$ of cardinality $k$ and relations $UA \subseteq U \times R$ and $PA \subseteq R \times P$ such that at least one user is authorised for every permission and $w_A(UA, PA)$ is minimised. Alternatively, we may insist that a user session does not exceed a "budget", where the cost of a session in which user $u$ invokes permissions $Q$ is defined to be $\omega(Q, u)$.
APPENDIX

Running Times of the Algorithms

Figure 2 shows the running times of the two algorithms for two different choices of instance parameters. (Each point on the graphs is averaged over 20 instances.) Plotted on a log scale, the approximately linear growth in the running times of the algorithms clearly demonstrates that the time required to solve Valued WSP grows exponentially as the number of steps $k$ increases. The figure also shows that the speed of growth is similar for both methods. However, the figure also clearly illustrates that the PBB algorithm outperforms the MIP solver by several orders of magnitude.

Figure 2: Run-times of PBB and MIP as a function of $k$ (horizontal axis: $k$ from 10 to 35). (a) $d = 20\%$, $\alpha = 1.00$; (b) $d = 10\%$, $\alpha = 0.75$. [plots not reproduced]